File ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch of Package ovmf.6568

From f09c718be19515b6b5beef781b183c288d2e380e Mon Sep 17 00:00:00 2001
From: Jiaxin Wu <Jiaxin.wu@intel.com>
Date: Mon, 29 Apr 2019 09:51:53 +0800
Subject: [PATCH 1/2] NetworkPkg/Ip4Dxe: Check the received package length
 (CVE-2019-14559).

v3: correct the coding style.
v2: correct the commit message & add BZ number.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610

This patch checks the length of the received packet to make sure the packet
has a valid length field.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
(cherry picked from commit 578bcdc2605e3438b9cbdac4e68339f90f5bf8af)

NOTE:
  The path to Ip4Input.c is modified to fit the older edk2.
---
 .../Universal/Network/Ip4Dxe/Ip4Input.c       | 46 +++++++++++++++----
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c
index 09b8f2bac235..d2ef19c52d7e 100644
--- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c
+++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c
@@ -1,7 +1,7 @@
 /** @file
   IP4 input process.
   
-Copyright (c) 2005 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
 
 This program and the accompanying materials
@@ -723,10 +723,6 @@ Ip4PreProcessPacket (
   //
   // Check if the IP4 header is correctly formatted.
   //
-  if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
-    return EFI_INVALID_PARAMETER;
-  }
-  
   HeadLen  = (Head->HeadLen << 2);
   TotalLen = NTOHS (Head->TotalLen);
 
@@ -820,6 +816,30 @@ Ip4PreProcessPacket (
   return EFI_SUCCESS;
 }
 
+/**
+  This function checks the IPv4 packet length.
+
+  @param[in]       Packet          Pointer to the IPv4 Packet to be checked.
+
+  @retval TRUE                   The input IPv4 packet length is valid.
+  @retval FALSE                  The input IPv4 packet length is invalid.
+
+**/
+BOOLEAN
+Ip4IsValidPacketLength (
+  IN NET_BUF        *Packet
+  )
+{
+  //
+  // Check the IP4 packet length.
+  //
+  if (Packet->TotalSize < IP4_MIN_HEADLEN) {
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
 /**
   The IP4 input routine. It is called by the IP4_INTERFACE when a
   IP4 fragment is received from MNP.
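Review bot: Ip4IsValidPacketLength only verifies that `Packet->TotalSize` is at least `IP4_MIN_HEADLEN`, but its header comment says it decides whether the packet length is "valid", which a later reader may take to cover the wire-supplied HeadLen and TotalLen fields as well. Those fields are presumably still checked in Ip4PreProcessPacket, whose body is outside this hunk, so the comment should state the limit, e.g. `Checks only that the buffer can hold a minimal IPv4 header (IP4_MIN_HEADLEN bytes); the HeadLen and TotalLen fields are not examined here.` The helper is also defined with external linkage and the patch adds no prototype for it; if nothing outside Ip4Input.c calls it, `STATIC BOOLEAN` would keep it file-local.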
@@ -856,6 +876,10 @@ Ip4AccpetFrame (
     goto DROP;
   }
 
+  if (!Ip4IsValidPacketLength (Packet)) {
+    goto RESTART;
+  }
+
   Head      = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
   ASSERT (Head != NULL);
   OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
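Review bot: The new length failure jumps to `RESTART` while the error check directly above it uses `DROP`, and neither label is visible in this hunk, so it is not evident here that `Packet` is released when an undersized frame is rejected. A buffer that is not freed on every malformed frame would be a remotely triggerable resource leak, the same class of problem the ArpDxe patch in this series addresses, so please confirm that `RESTART` reaches the code that frees `Packet`. If it does, a comment at the jump would make it clear, e.g. `// Too short for an IPv4 header: re-arm the receive; RESTART also frees Packet.` The same question applies to the second `goto RESTART` added inside the `CompareMem` branch later in Ip4AccpetFrame. Note also that `OptionLen` on the following context line is still computed from `Head->HeadLen` before any header-field validation shown here; that is pre-existing, and the size check added above does not bound it.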
@@ -902,10 +926,14 @@ Ip4AccpetFrame (
   //
   ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
   if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
-  // Packet may have been changed. Head, HeadLen, TotalLen, and
-  // info must be reloaded bofore use. The ownership of the packet
-  // is transfered to the packet process logic.
-  //
+    // Packet may have been changed. Head, HeadLen, TotalLen, and
+    // info must be reloaded before use. The ownership of the packet
+    // is transferred to the packet process logic.
+    //
+    if (!Ip4IsValidPacketLength (Packet)) {
+      goto RESTART;
+    }
+
     Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
     ASSERT (Head != NULL);
     Status = Ip4PreProcessPacket (
-- 
2.25.0


From ea1c337e728d84ecc76e6c623edad5685b63dddf Mon Sep 17 00:00:00 2001
From: Siyuan Fu <siyuan.fu@intel.com>
Date: Fri, 21 Feb 2020 10:14:18 +0800
Subject: [PATCH 2/2] NetworkPkg/ArpDxe: Recycle invalid ARP packets
 (CVE-2019-14559)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031

This patch triggers the RecycleEvent for invalid ARP packets.
Prior to this, we would just ignore invalid ARP packets,
and never free them.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Nicholas Armour <nicholas.armour@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
(cherry picked from commit 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8)

NOTE:
  The path to ArpImpl.c is modified to fit the older edk2.
---
 MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
index afe49298781d..e3922bb11216 100644
--- a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
+++ b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c
@@ -1,7 +1,7 @@
 /** @file
   The implementation of the ARP protocol.
   
-Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at<BR>
@@ -119,7 +119,7 @@ ArpOnFrameRcvdDpc (
     //
     // Restart the receiving if packet size is not correct.
     //
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   //
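Review bot: The comment above the changed jump still reads "Restart the receiving if packet size is not correct", but the branch now goes to `RECYCLE_RXDATA`, so it no longer says what happens to the received buffer. Suggest `// Recycle the RxData and restart the receiving if packet size is not correct.` The `RECYCLE_RXDATA` label is outside the hunk; this wording assumes it signals the recycle event and then continues into the receive restart, as the commit message implies. The second changed `goto` in the next hunk, after the address-length check, has no comment at all and would benefit from the same one-line explanation.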
@@ -131,7 +131,7 @@ ArpOnFrameRcvdDpc (
   Head->OpCode    = NTOHS (Head->OpCode);
 
   if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {
-    goto RESTART_RECEIVE;
+    goto RECYCLE_RXDATA;
   }
 
   if ((Head->HwType != ArpService->SnpMode.IfType) ||
-- 
2.25.0
